Adware/PUA False Positive for C:\Windows\WinExeSvc ??

Hi All,


Getting a lot of alerts in Adware/PUA on Enterprise Console 5.5 for WinExeSVC (C:\Windows\WinExeSvc)

First alert was at 2:51 am this morning and as I type this now have 92 endpoints with the same alert.

Only seems to be affecting Windows Server 2008 and 2008 R2 at the moment.

Is this a bug/dodgy update or a change of classification?

Just wondering if I need to authorise it or hold fire to see if it's a glitch.


Thanks

Peter



  • Hello Peter,

    rats - missed it because I searched for winexesvc.exe ...
    It also gives the same date for "Protection available since", so it's definitely new. As said, it's similar to psexec and the classification makes sense. Interestingly, the search returns a link to WinExe as a Controlled Application, but the link is no longer valid. Please note that PUA authorization is universal as opposed to authorization of suspicious files, i.e. the former authorizes everything that looks like e.g. WinExeSvc (under the assumption that a rogue version wouldn't be mistakenly seen as belonging to this application), whereas the latter applies to the exact version of a file.

    Personally I'd not keep it if I don't know who or what product needs it. And submitting a sample does no harm.

    Christian
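    Christian's distinction above (authorising the PUA name covers every file the detection matches; authorising a suspicious file covers one exact version) is easier to act on with some evidence in hand. The script below is an added triage example, not something posted in this thread and not a Sophos tool: it collects, for each host, whether C:\Windows\winexesvc.exe is present, its SHA-256, its Authenticode status, its creation time (to line up against the first alert time), and any service whose binary path points at it. It assumes WinRM remoting is enabled and you hold local admin rights on the targets; the path and the `winexesvc` service-name pattern are taken from the alerts in the thread. The hash is computed with .NET rather than `Get-FileHash` so it also runs on the PowerShell 2.0 that ships with Windows Server 2008 R2.

    ```powershell
    # Added triage example (not from this thread). Assumes WinRM + local admin on each host.
    param(
        [string[]]$ComputerName = @('localhost'),
        [string]$Path = 'C:\Windows\winexesvc.exe'   # path reported in the PUA alerts
    )

    $report = Invoke-Command -ComputerName $ComputerName -ArgumentList $Path -ScriptBlock {
        param($Path)
        $row = @{
            Host         = $env:COMPUTERNAME
            Present      = (Test-Path -LiteralPath $Path)
            Sha256       = $null
            SigStatus    = $null
            Signer       = $null
            CreatedUtc   = $null
            Service      = $null
            ServiceState = $null
        }

        if ($row.Present) {
            # SHA-256 via .NET so this also works on PowerShell 2.0 (2008 R2 default).
            $sha    = [System.Security.Cryptography.SHA256]::Create()
            $stream = [System.IO.File]::OpenRead($Path)
            try {
                $row.Sha256 = ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join ''
            } finally {
                $stream.Close()
            }

            $sig = Get-AuthenticodeSignature -LiteralPath $Path
            $row.SigStatus  = $sig.Status
            $row.Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
            $row.CreatedUtc = (Get-Item -LiteralPath $Path).CreationTimeUtc
        }

        # winexe-style tools register a service for the pushed binary; report it if it exists.
        $svc = Get-WmiObject Win32_Service |
               Where-Object { $_.PathName -like '*winexesvc*' } |
               Select-Object -First 1
        if ($svc) {
            $row.Service      = $svc.Name
            $row.ServiceState = $svc.State
        }

        New-Object PSObject -Property $row
    }

    $report |
        Select-Object Host, Present, Sha256, SigStatus, Signer, CreatedUtc, Service, ServiceState |
        Format-Table -AutoSize

    # One hash across every host points at a single product pushing a single binary, which a
    # per-file authorisation covers. Several hashes, or unsigned copies, are worth a sample submission.
    $report | Where-Object { $_.Present } | Group-Object Sha256 | Select-Object Count, Name
    ```

    Run it with `-ComputerName` set to a handful of the alerting servers first; a host where `Present` is `False` but a service row still appears matches John's observation below that the file is gone by the time someone looks, since these helpers are typically dropped, run and removed per job.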

  • Thanks Christian, I've submitted a sample.

  • Hi Peter,


    We are experiencing a similar situation to you (only on a much smaller scale).

    So far, only one of our endpoints has been flagged up as having this so-called Adware/PUA present.

    Have you heard anything back from Sophos in relation to this?

    Curious thing is, I cannot see the file in the C:\Windows folder. I temporarily authorised the .exe, but haven't had a recurrence.

    Best regards,


    John P

    2 x SG450 (Version 9.714-4)

    HA = Active-Passive

  • Hi Christian,

    I have found the smoking gun.

    An update is being performed of some monitoring agents; the upgrade leverages WinExeSvc as part of the process.

    That explains the sudden flood of alerts.

    Thanks for your help.

    Mystery solved.

    Regards

    Peter

  • Hi Peter,

    Just out of curiosity, what monitoring agent are you guys using? Also, how were you able to tie it to the winexesvc PUA? As of this morning, we have a couple hundred instances as well. Thanks!

  • Hi A1315,


    The agent is in relation to some AlienVault appliances we have.

    Had a look at the installation info they supply for the agent, and they mention that it could generate false alerts for "hacking tools" as it leverages WinExe.

    Regards

    Peter